Coldfusion
by Adobe Inc.
Source repositories
CVEs (222)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-43562 | | | 0.01 | — | 0.33 | | May 13, 2025 | ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier are affected by an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that could result in arbitrary code execution in the context of the current user. A… |
| CVE-2025-43560 | | | 0.01 | — | 0.11 | | May 13, 2025 | ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. A high-privileged attacker could leverage this vulnerability to bypass security… |
| CVE-2025-30281 | | | 0.01 | — | 0.15 | | Apr 8, 2025 | ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by an Improper Access Control vulnerability that could result in arbitrary code execution. A high-privileged attacker could leverage this vulnerability to access or modify sensitive data without proper… |
| CVE-2024-53961 | | | 0.01 | — | 0.13 | | Dec 23, 2024 | ColdFusion versions 2023.11, 2021.17 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access files or… |
| CVE-2024-34112 | | | 0.01 | — | 0.24 | | Jun 13, 2024 | ColdFusion versions 2023u7, 2021u13 and earlier are affected by an Improper Access Control vulnerability that could result in arbitrary file system read. An attacker could exploit this vulnerability to gain unauthorized access to sensitive files or data. Exploitation of this… |
| CVE-2023-26361 | | | 0.01 | — | 0.62 | | Mar 23, 2023 | Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in Arbitrary file system read. Exploitation of this issue does… |
| CVE-2022-35690 | | | 0.01 | — | 0.72 | | Oct 14, 2022 | Adobe ColdFusion versions Update 14 (and earlier) and Update 4 (and earlier) are affected by a Stack-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user… |
| CVE-2019-8074 | | | 0.01 | — | 0.19 | | Sep 27, 2019 | ColdFusion 2018- update 4 and earlier and ColdFusion 2016- update 11 and earlier have a Path Traversal vulnerability. Successful exploitation could lead to Access Control Bypass in the context of the current user. |
| CVE-2019-8073 | | | 0.01 | — | 0.08 | | Sep 27, 2019 | ColdFusion 2018- update 4 and earlier and ColdFusion 2016- update 11 and earlier have a Command Injection via Vulnerable component vulnerability. Successful exploitation could lead to Arbitrary code execution in the context of the current user. |
| CVE-2013-3350 | | | 0.01 | — | 0.08 | | Jul 10, 2013 | Adobe ColdFusion 10 before Update 11 allows remote attackers to call ColdFusion Components (CFC) public methods via WebSockets. |
| CVE-2008-1203 | | | 0.01 | — | 0.15 | | Mar 12, 2008 | The administrator interface for Adobe ColdFusion 8 and ColdFusion MX7 does not log failed authentication attempts, which makes it easier for remote attackers to conduct brute force attacks without detection. |
| CVE-2007-5905 | | | 0.01 | — | 0.13 | | Nov 15, 2007 | Adobe ColdFusion 8 and MX 7 allows remote attackers to hijack sessions via unspecified vectors that trigger establishment of a session to a ColdFusion application in which the (1) CFID or (2) CFTOKEN cookies have empty values, possibly due to a session fixation vulnerability. |
| CVE-2006-5858 | | | 0.01 | — | 0.13 | | Dec 31, 2006 | Adobe ColdFusion MX 7 through 7.0.2, and JRun 4, when run on Microsoft IIS, allows remote attackers to read arbitrary files, list directories, or read source code via a double URL-encoded NULL byte in a ColdFusion filename, such as a CFM file. |
| CVE-2025-61808 | | | 0.00 | — | 0.08 | | Dec 9, 2025 | ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Unrestricted Upload of File with Dangerous Type vulnerability that could lead to arbitrary code execution by a high privileged attacker. Exploitation of this issue does not require user interaction and… |
| CVE-2025-61812 | | | 0.00 | — | 0.04 | | Dec 9, 2025 | ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Input Validation vulnerability that could allow a high privileged attacker to gain arbitrary code execution. Exploitation of this issue does not require user interaction. |
| CVE-2025-61821 | | | 0.00 | — | 0.00 | | Dec 9, 2025 | ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files and data… |
| CVE-2025-64898 | | | 0.00 | — | 0.00 | | Dec 9, 2025 | ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Insufficiently Protected Credentials vulnerability that could result in limited unauthorized write access. An attacker could leverage this vulnerability to gain unauthorized access by exploiting… |
| CVE-2025-61809 | | | 0.00 | — | 0.01 | | Dec 9, 2025 | ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized read and write… |
| CVE-2025-61822 | | | 0.00 | — | 0.01 | | Dec 9, 2025 | ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Input Validation vulnerability that could lead to arbitrary file system write. An attacker could exploit this vulnerability to write malicious files to arbitrary locations on the file system.… |
| CVE-2025-64897 | | | 0.00 | — | 0.00 | | Dec 9, 2025 | ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Access Control vulnerability. A low privileged attacker could leverage this vulnerability to bypass security measures and gain limited unauthorized write access potentially resulting in denial… |